How Hackers Can Take Control of Your Business VoIP Phone

Written by Pronetic

Pronetic is a leading provider of core IT support for ISO 27001, Cyber Essentials and Cyber Essentials Plus compliance.

February 19, 2016

If you are one of the many companies that use voice-over-internet-protocol (VoIP) phones, you may find the results of a recent hacking experiment by security researchers worrying.

Researchers Per Thorsheim and Scott Helme, and information consultant Paul Moore, set up an experiment designed to demonstrate that VoIP phones have serious security vulnerabilities, and published the results online.

The fault occurs when VoIP phones are set up and left with default settings and the default password, where the phone does not require a special set of default credentials and does not force you to set a password when setting the phone up. This is sadly an all-too-common occurrence, and it means that no authentication is required. Combined with the fact that in many businesses VoIP phones and desktop computers are connected to the same network, this gives hackers a clear route in to the phone. In these circumstances, hackers can take control of a VoIP phone by embedding and running a small amount of JavaScript exploit code in a web page that the VoIP phone user visits.

What Can The Hackers Do?

The researchers in this case proved that hackers using this method can use your phone to dial a premium-rate number and, at the same time, disable the speaker so that you are unaware that it is happening. In fact, this kind of hack can allow an attacker to do almost anything they like with your phone, including:

  • Make, receive and transfer calls (even before it rings)
  • Play recordings
  • Upload new firmware
  • Use your phone for covert surveillance, i.e. eavesdropping
  • Other kinds of social threats, interception and modification, and service abuse

Very Common Hack

Nettitude research from 2015 helped to highlight how common this type of hack has become. A large number of VoIP attacks were recorded worldwide, but in the UK the problem was (and very likely still is) very bad, with attacks against VoIP services making up 67% of all attacks recorded against UK-based servers.

What Can Be Done?

One important measure that phone vendors could take to minimise the risk of these attacks could be to supply devices with “default” credentials, and to make sure that all other functionality in the phone can be disabled until a suitably secure password is set to replace it. For businesses, it is important to check that the right password protection has been provided during the set-up of the VoIP phone(s), and to be aware of the risks that VoIP phones can cause, despite their cost advantages.
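One way a business could run the password check described above across the phones it manages, as an added example that is not from the original article or the researchers. It assumes each phone exposes an HTTP admin page; the URLs are constructed placeholders, and `classify`, `probe` and `audit` are hypothetical names.

```python
"""Audit your own phone inventory: does each admin page demand credentials?"""
import urllib.error
import urllib.request


def classify(status, headers):
    """Classify the answer to a request that carried no credentials."""
    names = {k.lower() for k in headers}
    if status == 401 and "www-authenticate" in names:
        return "auth-required"
    if status in (301, 302, 303, 307, 308):
        return "redirect"      # usually a login page; confirm by hand
    if 200 <= status < 300:
        return "open"          # content served with no HTTP auth challenge
    return "other"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None            # report the redirect instead of following it


def probe(url, timeout=3):
    """Send one GET without credentials and classify what comes back."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        return classify(err.code, dict(err.headers))
    except OSError:            # URLError, timeouts, refused connections
        return "unreachable"


def audit(urls, probe_fn=probe):
    """Return the URLs whose admin page answered without asking for a login."""
    return sorted(u for u in urls if probe_fn(u) == "open")


if __name__ == "__main__":
    # Constructed inventory; replace with the admin URLs of phones you manage.
    for url in audit(["http://192.0.2.10/", "http://192.0.2.11/"]):
        print("no authentication requested:", url)
```

A phone that uses a form-based login page also answers 200, so treat each "open" result as a prompt to check that device by hand. Running the audit from a desktop on the office network also shows which phones are reachable from the machines staff browse the web on.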
